Snort mailing list archives
Re: Firing off Abuse email based on Snort Traffic
From: "Michael H. Warfield" <mhw () wittsend com>
Date: Thu, 29 May 2003 23:45:53 -0400
On Thu, May 29, 2003 at 04:03:20PM -0700, Matt Howell wrote:
On Thu, 2003-05-29 at 15:44, Erek Adams wrote:
For the most part I'd have to side with Matt Kettler on this. I've worked in Security and Abuse at a large ISP before... If I got multiple emails that say 'One of your dialup users portscanned X machines on my network', I'd be real tempted to add that email address to the /dev/null procmail filter.
As I mentioned in my previous post, I am looking for something that sends 1 email per ISP per every 48 - 72 Hour period. Having worked in my clients' own IT department, I know the frustration of being spammed with support requests.
To put it bluntly... Don't do it. Even that can be turned against you... It has happened before... It will happen again... You could be next. Take it right out of that stupid new TV show... You could be next...

Actual occurrence... Set your way-back machine Mister Peabody to a couple of years ago when a "well known" security professional (who shall remain un-named to protect the guilty and terminally (sic, sorry pun alert) stupid) set up his site to E-Mail back nasty grams when anyone connected to his telnet port. Anyone connecting to this in-DUH-vidual's site got a nasty banner about attempting to hack his site. He also sent E-Mail to abuse and postmaster and root and the POC (Point of Contact) addresses for the source domain, network address assignment, domain DNS servers, and network address DNS administrators. About a dozen or so E-Mails would typically be generated for this rather degenerate "port scan" if you will...

So... Word got out... Snickers round about... Looks exchanged... Plots were laid... A page was created... A web page... And such a page it was... It was a page with mighty pr0n. A glorious thing to behold. And in amongst the pr0n were image tags. And such image tags they were. Image tags that were web bugs they were. Web bugs pointing to said security professional's site and port number... And this glorious thing of dark art was left to mature in the rich fertile fields of web spiders... Within a week or so of the web spiders doing their jobs and that glorious page of old making an appearance amongst the high hitters in the pr0n searches, said researcher's site was emitting E-Mail like the big bang (sic, damn, two puns in one message - damn....) all over again directed at thousands of administrators of sites all over the world for poor unsuspecting pr0n aficionados who browsed this page.
Of course, he and the admins could not tell WHAT page generated the action that caused sooo much consternation and heaven forbid the individuals (when and where they could be identified) who browsed said page even remember (much less admit) what page they browsed...

For the record... I am neither that security researcher (though he and I cross swords on occasion on several mailing lists) nor am I one of the perps that made a flaming fool of him (DAMN! Missed one hell of an opportunity there... I swear I would have been there with bells on...).

Any reaction system is prone to being turned against you the moment an adversary figures out what you are doing. Always take that into consideration. If you do this... What happens when they figure it out and do that in response... You can rate limit to one message to a particular address or E-Mail per day or so but what happens when someone sets it up to be triggered by a couple thousand different sites? And then YOU have to deal with the responding backscatter of bitches and complaints AND ROBOTS AND AUTORESPONDERS...
To be quite honest, don't send email. It's almost a waste of time in many cases. Your best result is to actually pick up the phone and call. Direct interaction with someone is an excellent way to get something done. The person on the phone might actually hear the urgency in your voice, where 'reading the urgency' from an email just might not happen.
I totally agree. Unfortunately, a considerable amount of our scans are coming from the Asia Pacific area. APNIC often only returns an email address for abuse and no phone number. The client that I am involved with currently, is in the Medical field and has ramped up recent security efforts in response to the recent HIPAA regulations and dramatic network compromises (thus the reason Snort was deployed).
The two IP addresses in the original message came from Australia and Korea. Good luck on getting anything done. Anything you do is just, AT BEST, an exercise in auto-eroticism. If it makes you feel good, go for it. Just don't expect much in return. And expect some sensitive questions and some very queer looks if you get caught at it. You can neither proclaim ignorance nor innocence, when you do.
How do other administrators handle genuine attacks and Portscans from International sources?
Port scans... Ignore. International or otherwise. Ignore. There is even a legal (in USA - GA) precedent... Port scans are not illegal and you can NOT claim damages even if you expend resources and money in response.
-Matt
Mike
--
Michael H. Warfield    |  (770) 985-6132  |  mhw () WittsEnd com
/\/\|=mhw=|\/\/        |  (678) 463-0932  |  http://www.wittsend.com/mhw/
NIC whois: MHW9        |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
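The thread makes two concrete engineering points about automated abuse mail: Matt's proposal of one message per ISP per 48 to 72 hour window, and Mike's warning that a per-address limit does nothing when an adversary triggers the responder from a couple of thousand unrelated sources. The following is an added example (not code from anyone in this thread, and not part of Snort) sketching a notification throttle that handles both. The `Alert` fields, the `Throttle` parameters, the 50-contact breaker threshold and the sample alert streams are all constructed for the illustration; resolving a source IP to an abuse contact is assumed to happen upstream.

```python
"""Throttled abuse-notification queue with a backscatter circuit breaker.

Added example, not code from the thread or from Snort. Design (assumed):
  * at most one mail per abuse contact per window (48 h here);
  * a breaker on the number of DISTINCT contacts mailed in the last 24 h,
    so a flood of alerts from thousands of unrelated sources holds all
    further mail for human review instead of spraying the world.
"""
from collections import deque
from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class Alert:
    ts: int          # epoch seconds
    src_ip: str
    contact: str     # abuse mailbox for the source network (resolved upstream; assumed)
    sig: str         # Snort signature name, constructed here


@dataclass
class Throttle:
    contact_window: int = 48 * HOUR     # one mail per contact per window
    burst_window: int = 24 * HOUR       # breaker looks back this far
    max_distinct_contacts: int = 50     # more distinct contacts than this trips it
    last_sent: dict = field(default_factory=dict)   # contact -> ts of last mail
    recent: deque = field(default_factory=deque)    # (ts, contact) of mails sent
    tripped: bool = False                           # stays set until an operator resets it

    def _prune(self, now):
        # Drop sends that have aged out of the breaker's look-back window.
        while self.recent and now - self.recent[0][0] > self.burst_window:
            self.recent.popleft()

    def decide(self, alert):
        """Return 'send', 'hold:window' or 'hold:breaker' for one alert."""
        now = alert.ts
        self._prune(now)
        if self.tripped:
            return "hold:breaker"
        last = self.last_sent.get(alert.contact)
        if last is not None and now - last < self.contact_window:
            return "hold:window"          # this ISP already got a mail recently
        distinct = {c for _, c in self.recent}
        if alert.contact not in distinct and len(distinct) >= self.max_distinct_contacts:
            self.tripped = True           # too many unrelated networks at once: backscatter risk
            return "hold:breaker"
        self.last_sent[alert.contact] = now
        self.recent.append((now, alert.contact))
        return "send"


def run(throttle, alerts):
    """Feed alerts in time order; return decision counts plus breaker state."""
    counts = {"send": 0, "hold:window": 0, "hold:breaker": 0}
    for a in sorted(alerts, key=lambda a: a.ts):
        counts[throttle.decide(a)] += 1
    counts["tripped"] = throttle.tripped
    return counts


T0 = 1_054_000_000  # constructed base timestamp


def scenario_repeat_offender():
    # Constructed: one source scanning three times over ten hours.
    return [Alert(T0 + i * 5 * HOUR, "192.0.2.10", "abuse@example.net", "PORTSCAN")
            for i in range(3)]


def scenario_web_bug_flood():
    # Constructed: 2000 unrelated browsers hit the trip port within one hour,
    # each mapping to a different abuse contact (the web-bug case from the thread).
    return [Alert(T0 + i, f"203.0.113.{i % 250}", f"abuse@isp{i}.example", "TELNET-CONNECT")
            for i in range(2000)]


if __name__ == "__main__":
    print("repeat offender:", run(Throttle(), scenario_repeat_offender()))
    print("web-bug flood:  ", run(Throttle(), scenario_web_bug_flood()))
```

In the repeat-offender case the contact gets one mail and the other two alerts are held for the next digest; in the flood the breaker trips after 50 distinct contacts and the remaining 1950 alerts are held, which is the property a per-address limit alone cannot give you. Held alerts should still be logged so an operator can see what tripped the breaker.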
Current thread:
- Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Kettler (May 29)
- RE: Firing off Abuse email based on Snort Traffic Chris (May 29)
- RE: Firing off Abuse email based on Snort Traffic dave (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- Re: Firing off Abuse email based on Snort Traffic Erek Adams (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- Re: Firing off Abuse email based on Snort Traffic Skip Carter (May 29)
- Re: Firing off Abuse email based on Snort Traffic Budi Rahardjo (May 29)
- Re: Firing off Abuse email based on Snort Traffic Michael H. Warfield (May 29)
- RE: Firing off Abuse email based on Snort Traffic Chris (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Kettler (May 29)
- Re: [OT] Firing off Abuse email based on Snort Traffic Matt Howell (May 30)
- Re: [OT] Firing off Abuse email based on Snort Traffic james (May 30)
- <Possible follow-ups>
- RE: Firing off Abuse email based on Snort Traffic bmcdowell (May 29)
- RE: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- RE: Firing off Abuse email based on Snort Traffic Donofrio, Lewis (May 29)